| Field | Value |
|---|---|
| Names | PittyTiger (FireEye), Pitty Panda (CrowdStrike) |
| Country | China |
| Motivation | Information theft and espionage |
| First seen | 2011 |
| Description | (Airbus) Pitty Tiger is a group of attackers that has been active since at least 2011. They have targeted private companies in several sectors, such as defense and telecommunications, but also at least one government. We have been able to track down this group of attackers and can provide detailed information about them. We were able to collect and reveal their "malware arsenal". We also analyzed their technical organization. Our investigations indicate that Pitty Tiger has not used any 0-day vulnerability so far; rather, they prefer using custom malware developed for the group's exclusive usage. Our discoveries indicate that Pitty Tiger is a group of attackers with the ability to stay under the radar, yet still not as mature as other groups of attackers we monitor. Pitty Tiger is probably not a state-sponsored group of attackers. They lack the experience and financial support that one would expect from state-sponsored attackers. We suppose this group is opportunistic and sells its services to probable competitors of their targets in the private sector. We have been able to leverage several attacker profiles, showing that the Pitty Tiger group is fairly small compared to other APT groups, which is probably why we saw them work on a very limited number of targets. There is some overlap with APT 5, Keyhole Panda. |
| Observed | Sectors: Defense, Government, Telecommunications and Web development. Countries: Taiwan and Europe. |
| Tools used | Enfal, Gh0st RAT, gsecdump, Leo RAT, Mimikatz, Paladin RAT, pgift, Pitty, Poison Ivy. |
| MITRE ATT&CK | <https://attack.mitre.org/groups/G0011/> |

Operations performed:

| Date | Description | Source |
|---|---|---|
| 2011 | Operation "The Eye of the Tiger" | <https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf> |
| Jun 2014 | We discovered this malware sample in June 2014, leading to a command & control (C&C) server still in activity. Our research around the malware family revealed the "Pitty Tiger" group has been active since 2011, yet we found traces which make us believe the group has been active since 2010. | <http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2> |
| Jul 2014 | During the last month, McAfee Labs researchers have uncovered targeted attacks carried out via spear-phishing email against a French company. We have seen email sent to a large group of individuals in the organization. | <https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/> |
| 2014 | In a recent attack against a French company, the attackers sent simple, straightforward messages in English and French from free email addresses using names of actual employees of the targeted company. | <https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html> |
Last change to this card: 26 December 2021